SAML Flow

Owned by
Jan Panoušek
Jun 14, 2024
2 min read

There are two basic flows, depending on where the end user starts. 

Service Provider Initiated (Sign-on)

In this flow the authentication process is triggered from the Pricefx application.

  1. User opens the URL: https://<instanceDNS>/pricefx/<partition>/saml/signon​

  2. Pricefx sends a redirect to the browser that includes a SAMLRequest URL parameter.
    This SAMLRequest contains the entityID and the replyURL / ACS​. The redirect target is the configured IdP URL.

  3. IdP shows a login screen or authenticates the user right away based on a previous login​.

  4. Once authenticated, the IdP sends an auto-submit HTML form to the browser with the target being the ACS (i.e. the …/saml/consume/ URL) and the form content being the SAMLResponse​.

  5. Pricefx verifies the response payload (various checks including a signature verification)​. 

  6. Once verified, the application sends a redirect based on the RelayState and issues a JWT auth cookie​.

This is what SP initiated flow looks like in the context of Pricefx integrated into Salesforce:

  1. The canvas app makes a call to the Pricefx backend with a sign-on call which is defined in the canvas app URL.

  2. After successful request validation, the backend redirects to the URL specified in the SAML IdP Provider URL.

  3. A third party IDP service (e.g. Okta), after successful user authentication, redirects to the Pricefx consume URL.

  4. The backend validates the consume request and responds with a relay state if the request is valid.

  5. The canvas app loads the content to which the relay state points.

Identity Provider Initiated (Consume)

This scenario is simpler than the first one. Essentially, the application sends SAML authentication directly to the consume URL.

Compared to the SP Initiated flow, only these last three steps apply: 

  1. Once authenticated, the IdP sends an auto-submit HTML form to the browser with the target being the ACS (i.e. the …/saml/consume/ URL) and the form content being the SAMLResponse​.

  2. Pricefx verifies the response payload (various checks including a signature verification)​. 

  3. Once verified, the application sends a redirect based on the RelayState and issues a JWT auth cookie​.

IP initiated flow in the context of Pricefx integrated into Salesforce:

  1. Open the Pricefx canvas app in Salesforce.

  2. The canvas app makes a call to Pricefx backend with a consume call (defined in ACS URL).

  3. The backend validates the consume request and responds with a relay state if the request is valid.

  4. The canvas app loads the content to which the relay state points.

  5. The Pricefx canvas app starts to load.

Found an issue in documentation? Write to us.

 
Pricefx version 12.0